Due to new technology trends in the area of IT services that are increasingly being offered and used in companies - such as private and public cloud products - shadow IT is once again increasingly coming under the scrutiny of decision-makers responsible for IT. However, the phenomenon of shadow IT is actually nothing new. It has been an issue since the beginning of corporate networks, but has recently come back into focus.
But what is actually meant by shadow IT?
Shadow IT is the implementation or use of hardware or software (for example, apps or cloud services) that has not been approved or tested in the company, but is used by company employees without the knowledge or consent of the IT department. It is a situation that occurs in some companies and can create significant security gaps and thus pose a risk, but also offers opportunities.
What creates shadow IT?
There are various reasons for the growth of shadow IT, mostly involving necessity, expediency and justification. However, the motivations for using or creating shadow IT have also changed somewhat over the years. Shadow IT experienced its first growth spurt in the 1980s and 1990s, when personal computers became more widespread. Nowadays, mobile devices and web services in particular are causing a rise in "hidden IT." The increasing trust in digital services - keyword "digital natives" - as well as low acquisition costs for storage, end devices and apps and the growing spread of software-as-a-service offerings also play a role as pull factors.
In principle, shadow IT arises when the services offered by the IT department do not meet the requirements of the business departments in terms of function and quality. In other words, the needs of the business are not aligned with the IT offerings, a situation known as business-IT non-alignment, and shadow IT can emerge from this discrepancy. Likewise, high administrative hurdles for the procurement and use of new IT services, inflexible budgets or a lack of transparency in IT transfer prices, a lack of IT support due to personnel capacity bottlenecks or missing expertise, outdated IT solutions due to a lack of innovative spirit on the part of the IT department, and weak organizational, geographical or process-related links between the business and IT sides are further push factors for the emergence of shadow IT.
Why is it a risk for companies?
In principle, one can assume that employees act in good faith - that is, they would not knowingly install and use insecure software or software that is problematic from a data protection standpoint. But acting in good faith is not always enough. According to a survey by Statista in 2019, 40% of the companies surveyed stated that they had dealt with one or more cases of cybercrime, hacking or data theft in the last three years - a problem that can cost time, money and nerves and can also, under certain circumstances, permanently damage the trust of customers and partners and thus the reputation of the company.
Besides the security risks in terms of data security, integrity and protection, the spread of shadow IT in the company brings other disadvantages and problems. These include compliance conflicts, because shadow IT can lead to the establishment of processes that violate existing compliance rules. In addition, shadow IT itself represents a violation of internal company rules. Also, by definition, shadow IT applications are not managed by IT service management, so planning of IT architecture and capacity is hardly possible. Shadow IT applications are also often technologically inferior to professionally developed systems in terms of quality, which leads to low sustainability. The low degree of professionalism and the lack of planning often make the processes and systems economically inefficient.
It should also be mentioned that sourcing decisions are undermined by the creation of shadow IT: officially selected outsourcing partners are bypassed, which carries a high risk of contractual penalties. Similarly, the preoccupation of staff in specialist departments with IT issues can have a negative impact on the overall performance of the company, as these employees are not engaged in their main tasks. Shadow IT can also disrupt other IT services and affect their functionality and availability, which is another risk. The fact that shadow IT is not involved in release management can, for example, hinder migrations and other change measures.
User satisfaction can also be negatively affected by follow-up problems with the availability and support of shadow IT.
What are the opportunities?
In addition to the risks considered, shadow IT can also bring opportunities.
One example is the high rate of IT innovation that can result from shadow IT. When departments examine the opportunities offered by IT and recognize an additional benefit for their processes, this leads, under the right conditions, to the development of shadow IT. IT departments, by contrast, have difficulty uncovering this innovation potential because of their distance from the operational business. Consequently, innovations find their way into the company very quickly via shadow IT. Shadow IT can also lead to an improvement in processes, because shadow IT solutions are very task-oriented and have a strong focus on the internal processes of the business department. Likewise, because shadow IT solutions are close to the needs of the users, they lead to growing user satisfaction with the IT support in the company as a whole. Because they bypass the approval process, shadow IT solutions are also flexible and quickly adaptable.
Research has shown that identification with the products used can be very high, leading to increasing motivation.
How to deal with shadow IT in the company?
Despite the opportunities that shadow IT can bring, the risks must not be neglected under any circumstances and shadow IT should not be played down. Rather, both the risks and opportunities mentioned should encourage people to look at the software and IT structure in their own company, and to examine and evaluate it. With the help of a few steps, it can be possible to bring shadow IT under control and security gaps to light. First of all, an overview of possible shadow IT and associated risks should be created. To do this, various questions should be answered with the help of clarifying discussions with the specialist departments. Possible questions could be:
- Which cloud applications are used?
- Which SaaS apps are used and do they overlap?
- Who uses which application?
- How is shadow IT being used? Is the use of these applications in line with company policies?
- Is employees' shadow IT use risky in terms of security and compliance?
- Which SaaS applications show file upload and download activity?
- Which file uploads and downloads in SaaS applications violate data loss prevention (DLP) rules?
- Who is uploading or downloading files with DLP violations?
Once the necessary information has been gathered, the second step is to evaluate it and check the software and requirements used. The following questions can provide guidance:
- Which software can continue to be used?
- Which applications should be replaced?
- What alternatives can be offered to the employees?
In the third and final step, guidelines and control solutions need to be developed and introduced in order to avoid problems with shadow IT in the long term. Even a simple process that states that new software may only be installed by employees from the IT department can help here.
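The first two steps above, the inventory of possible shadow IT and its evaluation against what IT has approved, can be supported with data as well as with discussions. The following script is an added example and not part of the original article: it assumes a simple, made-up web proxy log format (timestamp, user, HTTP method, host, bytes sent, bytes received), a constructed list of sanctioned hosts and a constructed host-to-category map, and uses them to answer the inventory questions listed above: which applications are used, who uses which, which unsanctioned applications overlap in purpose, which show file upload and download activity, and who uploads files to applications IT has not approved. The size threshold used to count a request as a file transfer, and the rule that flags uploads to unsanctioned hosts, are stand-ins for a real DLP rule and are assumptions.

```python
"""
Added example (not from the original article): derive the shadow IT overview
from constructed proxy log lines.

Assumed log format (an assumption, not any product's real format):
    <timestamp> <user> <http_method> <host> <bytes_sent> <bytes_received>
"""
import re
from collections import defaultdict

# Constructed sample log lines in the assumed format; the last line is
# deliberately malformed to show that the parser skips rather than fails.
SAMPLE_LOG = """\
2024-03-01T08:12:03Z alice GET  mail.example-corp.internal 512 20480
2024-03-01T08:15:44Z alice POST share.filehost-a.example 5242880 1024
2024-03-01T09:02:10Z bob   GET  share.filehost-a.example 800 10485760
2024-03-01T09:30:27Z carol PUT  notes.saas-b.example 1048576 300
2024-03-01T10:11:05Z dave  GET  crm.example-corp.internal 600 4096
2024-03-01T10:45:19Z bob   POST chat.saas-c.example 2048 512
2024-03-01T11:05:52Z erin  POST files.filehost-d.example 3145728 256
this line is garbled and has no fields
"""

# Hosts the IT department has approved (constructed list).
SANCTIONED = {"mail.example-corp.internal", "crm.example-corp.internal"}

# Constructed host-to-category map, used to spot overlapping SaaS apps.
CATEGORIES = {
    "mail.example-corp.internal": "email",
    "crm.example-corp.internal": "crm",
    "share.filehost-a.example": "file sharing",
    "files.filehost-d.example": "file sharing",
    "notes.saas-b.example": "notes",
    "chat.saas-c.example": "messaging",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<sent>\d+)\s+(?P<recv>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT"}
# Assumption: a single request moving at least 1 MiB counts as a file transfer.
TRANSFER_THRESHOLD = 1024 * 1024


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sent"] = int(rec["sent"])
        rec["recv"] = int(rec["recv"])
        records.append(rec)
    return records


def is_upload(rec):
    return rec["method"] in UPLOAD_METHODS and rec["sent"] >= TRANSFER_THRESHOLD


def is_download(rec):
    return rec["recv"] >= TRANSFER_THRESHOLD


def build_overview(records, sanctioned):
    """Per host: who uses it, whether IT approved it, and file transfer counts."""
    apps = defaultdict(lambda: {"users": set(), "uploads": 0, "downloads": 0, "sanctioned": False})
    for rec in records:
        entry = apps[rec["host"]]
        entry["sanctioned"] = rec["host"] in sanctioned
        entry["users"].add(rec["user"])
        entry["uploads"] += is_upload(rec)
        entry["downloads"] += is_download(rec)
    return dict(apps)


def unsanctioned_apps(overview):
    """Which applications are used without IT approval?"""
    return sorted(host for host, e in overview.items() if not e["sanctioned"])


def overlapping_categories(overview, categories):
    """Which categories contain more than one application (duplicate tooling)?"""
    by_cat = defaultdict(list)
    for host in overview:
        by_cat[categories.get(host, "unknown")].append(host)
    return {cat: sorted(hosts) for cat, hosts in by_cat.items() if len(hosts) > 1}


def users_uploading_to_unsanctioned(records, sanctioned):
    """Stand-in DLP rule: who uploads files to applications IT has not approved?"""
    result = defaultdict(set)
    for rec in records:
        if rec["host"] not in sanctioned and is_upload(rec):
            result[rec["user"]].add(rec["host"])
    return {user: sorted(hosts) for user, hosts in result.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    overview = build_overview(recs, SANCTIONED)
    for host in sorted(overview):
        e = overview[host]
        print(f"{host}: sanctioned={e['sanctioned']} users={sorted(e['users'])} "
              f"uploads={e['uploads']} downloads={e['downloads']}")
    print("unsanctioned:", unsanctioned_apps(overview))
    print("overlapping:", overlapping_categories(overview, CATEGORIES))
    print("uploads to unsanctioned apps:", users_uploading_to_unsanctioned(recs, SANCTIONED))
```

The output is the raw material for the evaluation step: applications that are sanctioned can continue, overlapping unsanctioned applications in one category are candidates for replacement by a single approved alternative, and users who push files to unapproved hosts are the first people to talk to about what need the tool is meeting. Real proxy or CASB exports use their own formats, so the regular expression and the thresholds would have to be adapted.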